GitHub Overhauls npm Install to Thwart Supply-Chain Attacks
GitHub is introducing significant security enhancements to npm v12, set to block automatic script execution and dependency fetching during 'npm install' to combat supply-chain threats.
GitHub has announced a major security overhaul for its npm package manager, with version 12 slated for release next month. The update introduces a series of changes designed to significantly bolster defenses against the growing threat of supply-chain attacks that exploit the 'npm install' process.
The 'npm install' command, a fundamental step for developers to download and set up project dependencies, has become a prime target for attackers. This is due to its capability to automatically execute scripts defined within packages, providing a potent vector for malicious code injection during the installation phase.
Under the new default settings in npm v12, automatic execution of preinstall, install, and postinstall scripts will be disabled. This also extends to native module builds via node-gyp and prepare scripts for Git, local file, and linked dependencies. Developers will now need to explicitly approve these actions, shifting from a trust-by-default model to a more secure explicit-approval mechanism.
Furthermore, npm v12 will cease fetching dependencies directly from Git repositories unless explicitly permitted. This change aims to close a significant attack path where malicious .npmrc files could manipulate the Git executable used during installation, even when install scripts were disabled. Similarly, dependencies fetched from remote URLs, such as HTTPS tarballs, will also require explicit permission, preventing their automatic resolution.
These stringent new defaults are poised to disrupt numerous attack techniques that have been prevalent in recent supply-chain compromises. This includes malicious script campaigns targeting popular packages like eslint-config-prettier, Toptal's Picasso packages, and various data-stealing npm packages. The changes also address abuse of Git dependencies seen in campaigns like Shai-Hulud.
Projects that legitimately rely on the automatic execution of these scripts or Git/remote URL dependencies will need to take action to explicitly opt in to these behaviors before upgrading to npm v12. GitHub recommends that developers prepare for this transition by upgrading to npm 11.16.0 or newer. This version displays warnings for actions that will be blocked in v12, allowing developers to identify and address potential workflow disruptions during their normal installation routines.
By requiring explicit approval for script execution and dependency sources, GitHub aims to create a more resilient software supply chain. This proactive approach forces developers to be more aware of the dependencies they are incorporating and the potential risks associated with them, thereby reducing the attack surface for malicious actors.